
Wednesday, June 6, 2012

Tinba (aka Zusy) is an interesting tiny (18-20 KB) banker trojan. It is not the smallest in use these days: the Andromeda bot is 13 KB for the resident version and only 9 KB for the non-resident one. I got a few samples and hoped to gather enough data for an IDS signature, but they did a good job emulating real systems, so it is not trivial. One thing that is very consistent is the 13-byte initial RC4-encoded request.
I am posting details here; if you come up with a signature, please share it with Emerging Threats or here.
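As an added illustration of the one stable trait mentioned above (not code from the original post, and not a finished signature), here is a small Python heuristic that flags TCP flows whose first client payload is exactly 13 bytes and not printable text. The sample flows are constructed, the "non-printable" test is my own assumption about what an RC4-encoded blob looks like, and the fourth flow is there to show how easily a length-only rule fires on unrelated binary protocols:

```python
from typing import List, Tuple

# Constructed sample flows: (client, server, first client-to-server payload).
# These are made-up bytes for demonstration, not captured Tinba traffic.
SAMPLE_FLOWS: List[Tuple[str, str, bytes]] = [
    ("10.0.0.5:49152", "203.0.113.10:80", bytes.fromhex("9f3a0c77e1b28d4051c6e9aa10")),  # 13 binary bytes
    ("10.0.0.5:49153", "203.0.113.11:80", b"GET / HTTP/1.1\r\n"),                          # plain HTTP, 16 bytes
    ("10.0.0.6:49154", "203.0.113.12:80", b"hello world!!"),                                # 13 printable bytes
    ("10.0.0.7:49155", "203.0.113.13:80", bytes.fromhex("00010203040506070809101112")),  # 13 binary bytes, unrelated protocol
]

EXPECTED_LEN = 13  # the only consistent trait noted in the post


def is_printable_ascii(payload: bytes) -> bool:
    """True if every byte is printable 7-bit ASCII (space through '~')."""
    return all(0x20 <= b < 0x7F for b in payload)


def looks_like_tinba_hello(payload: bytes) -> bool:
    """Heuristic (assumption, not a verified signature): a 13-byte first
    request that is not readable text. RC4 output is expected to contain
    non-printable bytes, so readable 13-byte payloads are excluded."""
    return len(payload) == EXPECTED_LEN and not is_printable_ascii(payload)


def flag_flows(flows: List[Tuple[str, str, bytes]]) -> List[str]:
    """Return the client endpoints of flows whose first payload matches."""
    return [client for client, _server, payload in flows if looks_like_tinba_hello(payload)]


def false_positive_rate(flows: List[Tuple[str, str, bytes]], known_bad: set) -> float:
    """Fraction of flagged flows that are not in the known-bad set; with a
    length-only rule this is the number to watch before deploying anything."""
    flagged = flag_flows(flows)
    if not flagged:
        return 0.0
    return sum(1 for c in flagged if c not in known_bad) / len(flagged)


if __name__ == "__main__":
    print("flagged:", flag_flows(SAMPLE_FLOWS))
    # Only the first constructed flow is "known bad" in this toy data set.
    print("false-positive rate:", false_positive_rate(SAMPLE_FLOWS, {"10.0.0.5:49152"}))
```

The point of the last function is the caveat: a 13-byte non-text first packet is far from unique to this family, so the length trait is a starting filter to combine with other context (destination, timing, the follow-up exchange), not a rule on its own.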

It hooks into browsers and steals login data and sniffs on network traffic.

Uses Man-in-the-Browser (MiTB) tricks and webinjects to change the look and feel of certain web pages in order to circumvent two-factor authentication (2FA) or to trick the infected user into giving away additional sensitive data such as credit card data or TANs.

No packing or advanced encryption (yet)

It allocates new memory space in which this specific injection function is stored and injects itself into the newly created process "winver.exe" (Version Reporter Applet), which is dropped into the Windows system folder.

Tinba also injects itself into both "explorer.exe" and "svchost.exe" processes.

Tinba uses primarily four different libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll and user32.dll.

The main components are copied into [%userprofile%]/Application Data/Default/bin.exe, together with the encrypted configuration file "cfg.dat" and the webinject file named "web.dat".

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.